192.168 packets from the outside???

David Kramer david at thekramers.net
Wed Jun 25 22:20:53 EDT 2003


I was going through my logwatch reports like a good little sysadmin, and I 
found something very unusual in there.  I saw packets from 192.168.11.85 
coming in on eth0 (my DSL connection to the outside world).  I thought that 
was a nonroutable address, so I was wondering how that was even possible.  
Could it have been source-routed packets?  My ipchains firewall has rules for 
both nonroutable addresses and source-routed packets, so I don't know.

I profess that the majority of the tcpdump-like/syslog-like packet reports 
mystify me.  I just don't know what all the mnemonics stand for.  I 
understand the whole syn/ack thing, though.

messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:9247 L=52 S=0x00 I=45014 F=0x4000 T=44 (#20)
   <snip>
messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)
messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=33867 F=0x4000 T=44 (#20)

OK, as I write this email I'm finding out more things because I don't want to 
be called lazy.  And others might find this useful.  I found
http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-4.html
has a guide to the output.  Apparently the (#20) at the end means "ipchains 
rule #20".

[root at uni root]# ipchains -L input -n --line-numbers  | grep '^20'
20   DENY       all  ----l-  192.168.0.0/16       0.0.0.0/0             n/a

(this means: list the IPCHAINS rules for the chain "input", show IP addresses 
instead of domain names, and show the rule line numbers.)

So now I know that it was blocked because of the nonroutable address, but it 
does not explain how it got to eth0 in the first place.

Thoughts?

As a side thought, it seems that it would be a few hours' work to write a 
"tcpdump-to-English" converter and an "ipchains-syslog-to-English" converter.  
Now that I have found websites to explain it sufficiently, I am tempted to 
write one, but only if nothing like that already exists.  Has anyone heard of 
one?
----------------------------------------------------------------------------
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD  "Light is meaningful only in relation to darkness, and truth 
DKK D  presupposes error.  It is these mingled opposites which people our 
DK KD  life, which make it pungent, intoxicating.  We only exist in terms
DDDD    of this conflict, in the zone where black and white clash."
                                                  - Louis Aragon (1897-1982)
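As an added example (editor's code, not David's and not part of the IPCHAINS-HOWTO), here is the "ipchains-syslog-to-English" converter the post sketches. It decodes the kernel "Packet log:" fields as the HOWTO documents them (PROTO = IP protocol number, src:port dst:port, L = length, S = TOS, I = IP ID, F = the raw 16-bit fragment field in which 0x4000 is Don't Fragment and 0x2000 is More Fragments, T = TTL, (#n) = rule number) and then runs the check David was doing by hand: flag any RFC 1918 source address seen on the external interface. The two sample lines are copied from the post; the third is a constructed non-private UDP line so the parser's normal path is exercised too. The "reply-shaped" heuristic (privileged source port to an unprivileged destination port) is an assumption of this example, not a statement about what actually caused the packets:

```python
"""Decode ipchains 'Packet log:' syslog lines into English and audit them.

Added example; field layout follows the IPCHAINS-HOWTO's description of the
kernel packet log.  Sample lines marked "from the post" are David's; the UDP
line is constructed for this example (TEST-NET address 203.0.113.5).
"""
import ipaddress
import re

# Kernel log format:
# "Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#  L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)"
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# RFC 1918 blocks: a packet sourced from these should never arrive from the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LINES = [
    # from the post
    "messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)",
    # from the post
    "messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)",
    # constructed: a public-source UDP packet the audit should NOT flag
    "Jun 24 23:40:00 uni kernel: Packet log: input DENY eth0 PROTO=17 "
    "203.0.113.5:53 66.92.68.235:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#12)",
]


def parse_ipchains_log(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)  # raw 16-bit fragment field: flags in the top 3 bits
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16), "ipid": int(d["ipid"]),
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,
    }


def is_private(addr):
    """True for RFC 1918 addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def explain(rec):
    """Render one decoded record as an English sentence."""
    if rec["proto"] == 1:
        # for ICMP, ipchains prints type:code where TCP/UDP show ports
        ends = "ICMP type %d code %d from %s to %s" % (
            rec["sport"], rec["dport"], rec["src"], rec["dst"])
    else:
        proto = PROTO_NAMES.get(rec["proto"], "IP protocol %d" % rec["proto"])
        ends = "%s from %s port %d to %s port %d" % (
            proto, rec["src"], rec["sport"], rec["dst"], rec["dport"])
    flags = []
    if rec["dont_fragment"]:
        flags.append("DF")
    if rec["more_fragments"]:
        flags.append("MF")
    if rec["frag_offset"]:
        flags.append("offset %d" % rec["frag_offset"])
    rule = " by rule #%d" % rec["rule"] if rec["rule"] is not None else ""
    return "%s chain: %s %s on %s%s; %d bytes, TOS 0x%02x, IP ID %d, TTL %d, flags [%s]" % (
        rec["chain"], rec["verdict"], ends, rec["iface"], rule, rec["length"],
        rec["tos"], rec["ipid"], rec["ttl"], ", ".join(flags) or "none")


def reply_shaped(rec):
    """Heuristic (assumption of this example): privileged source port to an
    unprivileged destination port looks like a server's reply to a client."""
    return rec["proto"] in (6, 17) and rec["sport"] < 1024 and rec["dport"] >= 1024


def audit(lines, external_iface="eth0"):
    """Flag packets with a private source address arriving on the external interface."""
    findings = []
    for line in lines:
        rec = parse_ipchains_log(line)
        if rec and rec["iface"] == external_iface and is_private(rec["src"]):
            findings.append({"src": rec["src"], "sport": rec["sport"], "dst": rec["dst"],
                             "dport": rec["dport"], "rule": rec["rule"],
                             "reply_shaped": reply_shaped(rec), "english": explain(rec)})
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(parse_ipchains_log(line)))
    for f in audit(SAMPLE_LINES):
        print("ALERT private source on external iface:", f["english"],
              "(reply-shaped)" if f["reply_shaped"] else "")
```

Run it as-is and both post lines come out as "input chain: DENY TCP from 192.168.11.85 port 80 to 66.92.68.235 port 7878 on eth0 by rule #20; ..., TTL 44, flags [DF]" and are flagged, while the constructed UDP line is decoded but not flagged; pointing it at /var/log/messages with `grep 'Packet log:'` gives the same summary over a real day of logs. Note that F= is the whole fragment field, so the 0x4000 in David's lines is simply Don't Fragment (offset 0), not a fragmented packet.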



More information about the Discuss mailing list